nusenu edited this page Feb 13, 2016 · 10 revisions

What parts of my tor relay configuration/operation does this ansible role cover?

tldr: everything is taken care of ;)

Tor (Repo and) Package Installation

  • Linux
    • APT: enables torproject.org's repository and installs the repo signing key
    • RPM: enables EPEL on CentOS
    • CentOS/Fedora: takes care of SELinux configuration (enable 'tor_can_network_relay' boolean)
  • OpenBSD:
    • package installation via pkg_add (expects you to have the snapshot repository enabled in /etc/pkg.conf - until OpenBSD 5.9 is released)
    • takes care of sysctl/kern.maxfiles and login.conf/openfiles-max
  • FreeBSD:
    • installs the tor package (via pkg)
    • takes care of kern.ipc.somaxconn + kern.ipc.nmbclusters

Tor Instance Creation

  • (offline+online) key generation (on the ansible host)
  • transfers RSA and online Ed25519 keys to the relay
  • creates multiple tor instances on a single server (default: 2 per available IP address, configurable)
  • takes care of DataDirectory creation and filesystem permissions
  • runs every tor instance with a distinct system user
  • automatically detects/enables IPv6 support
  • startup configuration: enable all tor instances to start at boot
    • Linux: systemd multi-instance service file (tor@.service)
    • OpenBSD: rcctl - linking the default rc script once per tor instance
    • FreeBSD: /etc/rc.local
  • Tor Instance Configuration (torrc)
    • automatic MyFamily configuration
    • ContactInfo configurable
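
To illustrate the instance layout described above (several instances per IP, a distinct user and DataDirectory each, MyFamily filled in from the known fingerprints), here is an added Python sketch that is not code from the ansible-relayor role; the port scheme, user naming and directory paths are assumptions made for the example.

```python
# Added example, not part of the ansible-relayor role. Models how the
# per-instance defaults listed above could become torrc fragments.
# Base port, user naming scheme and DataDirectory path are assumptions.
import ipaddress
from dataclasses import dataclass


@dataclass
class Instance:
    name: str             # constructed as "<address>_<orport>"
    address: str
    or_port: int
    user: str             # one distinct system user per instance
    data_directory: str   # one DataDirectory per instance


def plan_instances(addresses, per_ip=2, base_port=9001):
    """Create `per_ip` instances for every address (the role's default is 2)."""
    instances = []
    for addr in addresses:
        for slot in range(per_ip):
            port = base_port + slot
            name = f"{addr}_{port}".replace(":", "-")   # keep names usable as user/dir names
            instances.append(Instance(
                name=name, address=addr, or_port=port,
                user=f"_tor-{name}",                              # assumption
                data_directory=f"/var/lib/tor-instances/{name}",  # assumption
            ))
    return instances


def orport_line(address, port):
    """IPv6 literals must be bracketed in ORPort; IPv4 is written as-is."""
    if ipaddress.ip_address(address).version == 6:
        return f"ORPort [{address}]:{port}"
    return f"ORPort {address}:{port}"


def render_torrc(inst, fingerprints, contact_info):
    """torrc fragment; MyFamily lists every relay of the operator ($-prefixed)."""
    family = sorted(fp if fp.startswith("$") else "$" + fp for fp in fingerprints)
    lines = [
        orport_line(inst.address, inst.or_port),
        f"DataDirectory {inst.data_directory}",
        f"User {inst.user}",
        f"ContactInfo {contact_info}",
        "MyFamily " + ",".join(family),
    ]
    return "\n".join(lines) + "\n"
```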

Ed25519 Key Renewal

  • easy Ed25519 key renewal

ansible-playbook yourplaybook.yml -t renewkey